Adds Bookstack & Joplin server parser, scenarios and tests (#833)

* Add Bookstack & Joplin parser, bf and tests

* Adds readme to new collections

.tests/bookstack-bf/bookstack-bf.log

@@ -0,0 +1,5 @@
+2023/09/23 09:58:51 [error] 298#298: *1093 FastCGI sent in stderr: "PHP message: Failed login for [email protected]" while reading response header from upstream, client: 1.2.3.4, server: _, request: "POST /login HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "bookstack.example.com", referrer: "https://bookstack.example.com/login"
+2023/09/23 09:58:52 [error] 298#298: *1093 FastCGI sent in stderr: "PHP message: Failed login for [email protected]" while reading response header from upstream, client: 1.2.3.4, server: _, request: "POST /login HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "bookstack.example.com", referrer: "https://bookstack.example.com/login"
+2023/09/23 09:58:53 [error] 298#298: *1093 FastCGI sent in stderr: "PHP message: Failed login for [email protected]" while reading response header from upstream, client: 1.2.3.4, server: _, request: "POST /login HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "bookstack.example.com", referrer: "https://bookstack.example.com/login"
+2023/09/23 09:58:55 [error] 298#298: *1093 FastCGI sent in stderr: "PHP message: Failed login for [email protected]" while reading response header from upstream, client: 1.2.3.4, server: _, request: "POST /login HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "bookstack.example.com", referrer: "https://bookstack.example.com/login"
+2023/09/23 09:58:59 [error] 298#298: *1093 FastCGI sent in stderr: "PHP message: Failed login for [email protected]" while reading response header from upstream, client: 1.2.3.4, server: _, request: "POST /login HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "bookstack.example.com", referrer: "https://bookstack.example.com/login"

.tests/bookstack-bf/config.yaml

@@ -0,0 +1,10 @@
+parsers:
+- crowdsecurity/syslog-logs
+- crowdsecurity/dateparse-enrich
+- ./parsers/s01-parse/xs539/bookstack-logs.yaml
+scenarios:
+- ./scenarios/xs539/bookstack-bf.yaml
+postoverflows:
+log_file: bookstack-bf.log
+log_type: bookstack
+ignore_parsers: true

.tests/bookstack-bf/scenario.assert

@@ -0,0 +1,37 @@
+len(results) == 1
+"1.2.3.4" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["1.2.3.4"].IP == "1.2.3.4"
+results[0].Overflow.Sources["1.2.3.4"].Range == ""
+results[0].Overflow.Sources["1.2.3.4"].GetScope() == "Ip"
+results[0].Overflow.Sources["1.2.3.4"].GetValue() == "1.2.3.4"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "bookstack-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "bookstack_failed_auth"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "bookstack"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.4"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "[email protected]"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-09-23T09:58:51Z"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "bookstack-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "bookstack_failed_auth"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "bookstack"
+results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.2.3.4"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "[email protected]"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-09-23T09:58:52Z"
+results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "bookstack-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "bookstack_failed_auth"
+results[0].Overflow.Alert.Events[2].GetMeta("service") == "bookstack"
+results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.2.3.4"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "[email protected]"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-09-23T09:58:53Z"
+results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "bookstack-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "bookstack_failed_auth"
+results[0].Overflow.Alert.Events[3].GetMeta("service") == "bookstack"
+results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.2.3.4"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "[email protected]"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-09-23T09:58:55Z"
+results[0].Overflow.Alert.GetScenario() == "xs539/bookstack-bf"
+results[0].Overflow.Alert.Remediation == true
+results[0].Overflow.Alert.GetEventsCount() == 4

.tests/bookstack-logs/bookstack-logs.log

@@ -0,0 +1 @@
+2023/09/23 09:58:54 [error] 298#298: *1093 FastCGI sent in stderr: "PHP message: Failed login for [email protected]" while reading response header from upstream, client: 1.2.3.4, server: _, request: "POST /login HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "bookstack.example.com", referrer: "https://bookstack.example.com/login"

.tests/bookstack-logs/config.yaml

@@ -0,0 +1,9 @@
+parsers:
+- crowdsecurity/syslog-logs
+- crowdsecurity/dateparse-enrich
+- ./parsers/s01-parse/xs539/bookstack-logs.yaml
+scenarios:
+postoverflows:
+log_file: bookstack-logs.log
+log_type: bookstack
+ignore_parsers: false

.tests/bookstack-logs/parser.assert

@@ -0,0 +1,38 @@
+len(results) == 4
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 1
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "bookstack"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "2023/09/23 09:58:54 [error] 298#298: *1093 FastCGI sent in stderr: \"PHP message: Failed login for [email protected]\" while reading response header from upstream, client: 1.2.3.4, server: _, request: \"POST /login HTTP/1.1\", upstream: \"fastcgi://127.0.0.1:9000\", host: \"bookstack.example.com\", referrer: \"https://bookstack.example.com/login\""
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "bookstack-logs.log"
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 1
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
+len(results["s01-parse"]["xs539/bookstack-logs"]) == 1
+results["s01-parse"]["xs539/bookstack-logs"][0].Success == true
+results["s01-parse"]["xs539/bookstack-logs"][0].Evt.Parsed["program"] == "bookstack"
+results["s01-parse"]["xs539/bookstack-logs"][0].Evt.Parsed["remote_addr"] == "1.2.3.4"
+results["s01-parse"]["xs539/bookstack-logs"][0].Evt.Parsed["timestamp"] == "2023/09/23 09:58:54"
+results["s01-parse"]["xs539/bookstack-logs"][0].Evt.Parsed["target_user"] == "[email protected]"
+results["s01-parse"]["xs539/bookstack-logs"][0].Evt.Parsed["message"] == "2023/09/23 09:58:54 [error] 298#298: *1093 FastCGI sent in stderr: \"PHP message: Failed login for [email protected]\" while reading response header from upstream, client: 1.2.3.4, server: _, request: \"POST /login HTTP/1.1\", upstream: \"fastcgi://127.0.0.1:9000\", host: \"bookstack.example.com\", referrer: \"https://bookstack.example.com/login\""
+results["s01-parse"]["xs539/bookstack-logs"][0].Evt.Meta["service"] == "bookstack"
+results["s01-parse"]["xs539/bookstack-logs"][0].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s01-parse"]["xs539/bookstack-logs"][0].Evt.Meta["target_user"] == "[email protected]"
+results["s01-parse"]["xs539/bookstack-logs"][0].Evt.Meta["datasource_path"] == "bookstack-logs.log"
+results["s01-parse"]["xs539/bookstack-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["xs539/bookstack-logs"][0].Evt.Meta["log_type"] == "bookstack_failed_auth"
+len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 1
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "2023/09/23 09:58:54 [error] 298#298: *1093 FastCGI sent in stderr: \"PHP message: Failed login for [email protected]\" while reading response header from upstream, client: 1.2.3.4, server: _, request: \"POST /login HTTP/1.1\", upstream: \"fastcgi://127.0.0.1:9000\", host: \"bookstack.example.com\", referrer: \"https://bookstack.example.com/login\""
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "bookstack"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_addr"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "2023/09/23 09:58:54"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["target_user"] == "[email protected]"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "bookstack-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "bookstack_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "bookstack"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2023-09-23T09:58:54Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "[email protected]"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2023-09-23T09:58:54Z"
+len(results["success"][""]) == 0

.tests/joplin-server-bf/config.yaml

@@ -0,0 +1,10 @@
+parsers:
+- crowdsecurity/syslog-logs
+- crowdsecurity/dateparse-enrich
+- ./parsers/s01-parse/xs539/joplin-server-logs.yaml
+scenarios:
+- ./scenarios/xs539/joplin-server-bf.yaml
+postoverflows:
+log_file: joplin-server-bf.log
+log_type: joplin-server
+ignore_parsers: true

.tests/joplin-server-bf/joplin-server-bf.log

@@ -0,0 +1,5 @@
+2023-09-23 10:33:45: [error] App: 403: POST /api/sessions: 1.2.3.4: Invalid username or password: {"email":"[email protected]"}
+2023-09-23 10:34:45: [error] App: 403: POST /api/sessions: 1.2.3.4: Invalid username or password: {"email":"[email protected]"}
+2023-09-23 10:35:45: [error] App: 403: POST /api/sessions: 1.2.3.4: Invalid username or password: {"email":"[email protected]"}
+2023-09-23 10:36:45: [error] App: 403: POST /api/sessions: 1.2.3.4: Invalid username or password: {"email":"[email protected]"}
+2023-09-23 10:46:45: [error] App: 403: POST /api/sessions: 1.2.3.4: Invalid username or password: {"email":"[email protected]"}

.tests/joplin-server-bf/scenario.assert

@@ -0,0 +1,37 @@
+len(results) == 1
+"1.2.3.4" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["1.2.3.4"].IP == "1.2.3.4"
+results[0].Overflow.Sources["1.2.3.4"].Range == ""
+results[0].Overflow.Sources["1.2.3.4"].GetScope() == "Ip"
+results[0].Overflow.Sources["1.2.3.4"].GetValue() == "1.2.3.4"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "joplin-server-bf.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "joplin_server_failed_auth"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "joplin"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.4"
+results[0].Overflow.Alert.Events[0].GetMeta("target_user") == "[email protected]"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-09-23T10:33:45Z"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_path") == "joplin-server-bf.log"
+results[0].Overflow.Alert.Events[1].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[1].GetMeta("log_type") == "joplin_server_failed_auth"
+results[0].Overflow.Alert.Events[1].GetMeta("service") == "joplin"
+results[0].Overflow.Alert.Events[1].GetMeta("source_ip") == "1.2.3.4"
+results[0].Overflow.Alert.Events[1].GetMeta("target_user") == "[email protected]"
+results[0].Overflow.Alert.Events[1].GetMeta("timestamp") == "2023-09-23T10:34:45Z"
+results[0].Overflow.Alert.Events[2].GetMeta("datasource_path") == "joplin-server-bf.log"
+results[0].Overflow.Alert.Events[2].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[2].GetMeta("log_type") == "joplin_server_failed_auth"
+results[0].Overflow.Alert.Events[2].GetMeta("service") == "joplin"
+results[0].Overflow.Alert.Events[2].GetMeta("source_ip") == "1.2.3.4"
+results[0].Overflow.Alert.Events[2].GetMeta("target_user") == "[email protected]"
+results[0].Overflow.Alert.Events[2].GetMeta("timestamp") == "2023-09-23T10:35:45Z"
+results[0].Overflow.Alert.Events[3].GetMeta("datasource_path") == "joplin-server-bf.log"
+results[0].Overflow.Alert.Events[3].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[3].GetMeta("log_type") == "joplin_server_failed_auth"
+results[0].Overflow.Alert.Events[3].GetMeta("service") == "joplin"
+results[0].Overflow.Alert.Events[3].GetMeta("source_ip") == "1.2.3.4"
+results[0].Overflow.Alert.Events[3].GetMeta("target_user") == "[email protected]"
+results[0].Overflow.Alert.Events[3].GetMeta("timestamp") == "2023-09-23T10:36:45Z"
+results[0].Overflow.Alert.GetScenario() == "xs539/joplin-server-bf"
+results[0].Overflow.Alert.Remediation == true
+results[0].Overflow.Alert.GetEventsCount() == 4

.tests/joplin-server-logs/config.yaml

@@ -0,0 +1,9 @@
+parsers:
+- crowdsecurity/syslog-logs
+- crowdsecurity/dateparse-enrich
+- ./parsers/s01-parse/xs539/joplin-server-logs.yaml
+scenarios:
+postoverflows:
+log_file: joplin-server-logs.log
+log_type: joplin-server
+ignore_parsers: false

.tests/joplin-server-logs/joplin-server-logs.log

@@ -0,0 +1 @@
+2023-09-23 10:33:45: [error] App: 403: POST /api/sessions: 1.2.3.4: Invalid username or password: {"email":"[email protected]"}

.tests/joplin-server-logs/parser.assert

@@ -0,0 +1,38 @@
+len(results) == 4
+len(results["s00-raw"]["crowdsecurity/non-syslog"]) == 1
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Success == true
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["message"] == "2023-09-23 10:33:45: [error] App: 403: POST /api/sessions: 1.2.3.4: Invalid username or password: {\"email\":\"[email protected]\"}"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Parsed["program"] == "joplin-server"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_path"] == "joplin-server-logs.log"
+results["s00-raw"]["crowdsecurity/non-syslog"][0].Evt.Meta["datasource_type"] == "file"
+len(results["s00-raw"]["crowdsecurity/syslog-logs"]) == 1
+results["s00-raw"]["crowdsecurity/syslog-logs"][0].Success == false
+len(results["s01-parse"]["xs539/joplin-server-logs"]) == 1
+results["s01-parse"]["xs539/joplin-server-logs"][0].Success == true
+results["s01-parse"]["xs539/joplin-server-logs"][0].Evt.Parsed["timestamp"] == "2023-09-23 10:33:45"
+results["s01-parse"]["xs539/joplin-server-logs"][0].Evt.Parsed["message"] == "2023-09-23 10:33:45: [error] App: 403: POST /api/sessions: 1.2.3.4: Invalid username or password: {\"email\":\"[email protected]\"}"
+results["s01-parse"]["xs539/joplin-server-logs"][0].Evt.Parsed["program"] == "joplin-server"
+results["s01-parse"]["xs539/joplin-server-logs"][0].Evt.Parsed["remote_addr"] == "1.2.3.4"
+results["s01-parse"]["xs539/joplin-server-logs"][0].Evt.Parsed["target_user"] == "[email protected]"
+results["s01-parse"]["xs539/joplin-server-logs"][0].Evt.Meta["datasource_type"] == "file"
+results["s01-parse"]["xs539/joplin-server-logs"][0].Evt.Meta["log_type"] == "joplin_server_failed_auth"
+results["s01-parse"]["xs539/joplin-server-logs"][0].Evt.Meta["service"] == "joplin"
+results["s01-parse"]["xs539/joplin-server-logs"][0].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s01-parse"]["xs539/joplin-server-logs"][0].Evt.Meta["target_user"] == "[email protected]"
+results["s01-parse"]["xs539/joplin-server-logs"][0].Evt.Meta["datasource_path"] == "joplin-server-logs.log"
+len(results["s02-enrich"]["crowdsecurity/dateparse-enrich"]) == 1
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Success == true
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["message"] == "2023-09-23 10:33:45: [error] App: 403: POST /api/sessions: 1.2.3.4: Invalid username or password: {\"email\":\"[email protected]\"}"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["program"] == "joplin-server"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["remote_addr"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["target_user"] == "[email protected]"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Parsed["timestamp"] == "2023-09-23 10:33:45"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_type"] == "file"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["log_type"] == "joplin_server_failed_auth"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["service"] == "joplin"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["source_ip"] == "1.2.3.4"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["target_user"] == "[email protected]"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["timestamp"] == "2023-09-23T10:33:45Z"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Meta["datasource_path"] == "joplin-server-logs.log"
+results["s02-enrich"]["crowdsecurity/dateparse-enrich"][0].Evt.Enriched["MarshaledTime"] == "2023-09-23T10:33:45Z"
+len(results["success"][""]) == 0

collections/xs539/bookstack.md

@@ -0,0 +1,21 @@
+## Bookstack collection
+
+A collection to defend Bookstack against common attacks :
+ - bookstack failed login
+
+
+## Acquisition template
+
+Example acquisition for this collection :
+
+```yaml
+---
+filenames:
+ - /var/log/bookstack.log
+labels:
+  type: bookstack
+---
+```
+
+notes :
+ - You will need to enable [Failed Access Logging](https://www.bookstackapp.com/docs/admin/security/#failed-access-logging) (off by default) 

collections/xs539/bookstack.yml

@@ -0,0 +1,8 @@
+parsers:
+  - xs539/bookstack-logs
+scenarios:
+  - xs539/bookstack-bf
+description: "Bookstack Support : parser and brute-force detection"
+author: xs539
+tags:
+  - Bookstack

collections/xs539/joplin-server.md

@@ -0,0 +1,17 @@
+## Joplin server collection
+
+A collection to defend Joplin server against common attacks :
+ - Joplin server failed login
+
+
+## Acquisition template
+
+Example acquisition config:
+```yaml
+---
+filenames:
+ - /var/log/joplin-server.log
+labels:
+  type: joplin-server
+---
+```

collections/xs539/joplin-server.yml

@@ -0,0 +1,8 @@
+parsers:
+  - xs539/joplin-server-logs
+scenarios:
+  - xs539/joplin-server-bf
+description: "Joplin Server Support : parser and brute-force detection"
+author: xs539
+tags:
+  - Joplin

parsers/s01-parse/xs539/bookstack-logs.md

@@ -0,0 +1,17 @@
+Parser for [Bookstack](https://www.bookstackapp.com/) logs
+
+You will need to enable [Failed Access Logging](https://www.bookstackapp.com/docs/admin/security/#failed-access-logging) (off by default) 
+
+```
+LOG_FAILED_LOGIN_MESSAGE="Failed login for %u"
+```
+
+Example acquisition config:
+```yaml
+---
+filenames:
+ - /var/log/bookstack.log
+labels:
+  type: bookstack
+---
+```

parsers/s01-parse/xs539/bookstack-logs.yaml

@@ -0,0 +1,22 @@
+onsuccess: next_stage
+filter: "Lower(evt.Parsed.program) in ['bookstack']"
+name: xs539/bookstack-logs
+description: "Parse bookstack logs"
+pattern_syntax:
+  BOOKSTACK_USER: "(%{EMAILADDRESS}|%{USERNAME})"
+nodes:
+  - grok:
+      pattern: '%{NGINXERRTIME:timestamp}%{GREEDYDATA}Failed login for %{BOOKSTACK_USER:target_user}%{GREEDYDATA}client: %{IPORHOST:remote_addr}'
+      apply_on: message
+      statics:
+        - meta: log_type
+          value: bookstack_failed_auth
+        - meta: target_user
+          expression: evt.Parsed.target_user
+statics:
+    - meta: service
+      value: bookstack
+    - target: evt.StrTime
+      expression: evt.Parsed.timestamp
+    - meta: source_ip
+      expression: evt.Parsed.remote_addr

parsers/s01-parse/xs539/joplin-server-logs.md

@@ -0,0 +1,11 @@
+Parser for [Joplin server](https://github.com/laurent22/joplin/tree/dev/packages/server) logs
+
+Example acquisition config:
+```yaml
+---
+filenames:
+ - /var/log/joplin-server.log
+labels:
+  type: joplin-server
+---
+```